[TYPO3-core] RFC #14367: Install Tool does not provide a logout possibility

Ernesto Baschny [cron IT] ernst at cron-it.de
Fri May 14 15:12:46 CEST 2010


Helmut Hummel wrote on 14.05.2010 10:55:
> Hi,
> 
> On 14.05.10 00:24, Steffen Kamper wrote:
>> Helmut Hummel wrote:
>>> KEEP_FILE must only be used in development environments and
>>> in these environments I don't care about logging out of the install
>>> tool, so I won't click such a button.
>>>
>>> In production context this file should be deleted, like it is done in
>>> the user setup thingy.
>> This turns the feature ad absurdum. If someone manually enters KEEP_FILE
>> into this lock file, he doesn't want the file to be deleted by any
>> action.
>> Either we drop this feature or we respect it.
> 
> Then drop it.
> 
> I do not see at all the benefit in having a logged out status for
> the Install Tool. This thing is proven to be dangerous and experience
> tells us that being logged out does not mitigate this fact.
> 
> There's also no point in using the KEEP_FILE thing while developing and
> logging out the Install Tool. Why should I click such a button, which
> gives me no benefit at all?
> 
>> The deletion in user setup isn't correctly implemented - with this
>> content the button "delete lock file" should be disabled too.
> 
> This depends how you look at it. Especially for the user setup: Having a
> "delete the file" button, which actually does not delete it is awkward.
> 
> If this feature goes in, I would also not name the Label "Log out from
> Install Tool" but "Disable Install Tool" to make the difference clear.
> 
> BTW. We're discussing to keep a file, which is two clicks away creating,
> but is really a great danger for a TYPO3 installation.
> 
> I would really put security over convenience here.

I think both features have valid reasons to co-exist: The KEEP_FILE
setting is useful in many situations (development environments). The
Install Tool logout also has its reasons: i.e. if you leave your browser
open and walk away, someone might "reuse" your Install Tool session.
This is also a potential risk in development environments with KEEP_FILE!

So I don't see why we should discuss the KEEP_FILE feature in this
specific context.

The convenience of deleting the (non-KEEP_FILE enable-file) on logout is
an added feature that will ease most situations where you just need
"quick access" to the install tool and then just "Logout" to disable it
again. The file would have been deleted after the "timeout" anyway.

So I +1 on the handling as has been committed in v5 and hope we can agree
on it at least afterwards. :)

Cheers,
Ernesto

